-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Type confusion bug in WriteFloatGeneric #12179
Comments
See #12119 for a PR that just proposes dropping the Also, tbh it seems like a bit of a stretch to call this a security issue. If you have access to the |
That was actually brought up by my email to security@nodejs.org on 3/27, but I didn't want to create a redundant issue. The snippet for that the OOB write I had was: const buf = Buffer.from('w00t');
buf.writeFloatLE(0, 4, true); But this is a different kind of bug: it's a type confusion bug. It just so happens to be in the same code. I think dropping the |
Saw that you're on top of these! Thanks @TimothyGu! That fixed the oob issues (didn't check, but I trust). The type confusion remains, I think. On 2d039ff, this will segfault: function FB() {this.x=33; this.y=44;}
require('util').inherits(FB, Buffer);
Buffer.prototype.writeFloatLE.call(new FB(), 0, 0, true); |
You are right. I'm not sure how performance-heavy it would be to check for validity in all the write*() functions, though it does look necessary. |
@TimothyGu I think the real solution is to work with the V8 team to make these V8 compiler intrinsics. Then the JIT could eliminate the overhead. If only V8 had a LuaJIT-style integrated FFI... |
Dropping |
Accidentally closed it... reopening |
This ports the Buffer#write(Double|Float)(B|L)E functions to JS. This fixes a security issue concerning type confusion and fixes another possible crash in combination with `noAssert`. In addition to that it will also significantly improve the write performance. Fixes: nodejs#12179 Fixes: nodejs#8724
This ports the Buffer#write(Double|Float)(B|L)E functions to JS. This fixes a security issue concerning type confusion and fixes another possible crash in combination with `noAssert`. In addition to that it will also significantly improve the write performance. Fixes: nodejs#12179 Fixes: nodejs#8724 PR-URL: nodejs#18395 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The buffer writeFloatLE family functions are prone to code [remote] execution attacks via type confusion. The binding layer WriteFloatGeneric function just casts the first argument:
node/src/node_buffer.cc
Line 826 in 0e6c336
Few methods are called on the ts_obj after which if you choose a good argument means executing code with some choice.
For example, the following doesn't crash until the memcpy on my machine:
The text was updated successfully, but these errors were encountered: